Hello
Yesterday for about 10 minutes no services were working on a cPanel server of mine. I immediately investigated the issue and found out that an attacker managed to have full access to the server as root using sudo! In /var/log/secure:
Code:
....
Jun 6 13:21:52 SERVERNAME sshd[13966]: Accepted password for firefart from XXX.XXX.XXX port 28953 ssh2
Jun 6 13:21:52 SERVERNAME sshd[13966]: pam_unix(sshd:session): session opened for user firefart by (uid=0)
...
Jun 6 13:24:25 SERVERNAME su: PAM unable to dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
Jun 6 13:24:25 SERVERNAME su: PAM adding faulty module: /lib64/security/pam_fprintd.so
Jun 6 13:24:25 SERVERNAME su: pam_unix(su:session): session opened for user root by firefart(uid=0)
...
Jun 6 13:29:13 SERVERNAME sudo: PAM unable to dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
Jun 6 13:29:13 SERVERNAME sudo: PAM adding faulty module: /lib64/security/pam_fprintd.so
Jun 6 13:29:13 SERVERNAME sudo: root : TTY=pts/2 ; PWD=/home/HACKEDWEBSITE/public_html/modules/news ; USER=root ; COMMAND=/usr/sbin/useradd -ou 0 -g 0 darkangel
Jun 6 13:29:13 SERVERNAME useradd[23620]: new user: name=darkangel, UID=0, GID=0, home=/home/darkangel, shell=/bin/bash
....
Jun 6 13:32:55 SERVERNAME sudo: PAM unable to dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
Jun 6 13:32:55 SERVERNAME sudo: PAM adding faulty module: /lib64/security/pam_fprintd.so
Jun 6 13:32:55 SERVERNAME sudo: root : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/bin/cat /home/HACKEDWEBSITE/public_html/modules/news/
....
Jun 6 13:36:54 SERVERNAME sudo: PAM unable to dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
Jun 6 13:36:54 SERVERNAME sudo: PAM adding faulty module: /lib64/security/pam_fprintd.so
Jun 6 13:36:54 SERVERNAME sudo: root : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/bin/rm /root/.bash_history
...
It seems that the attacker managed to create a user called "firefart", which he used to create a super-user "darkangel". Please note that HACKEDWEBSITE had no shell access enabled on its account (no cPanel account does). Of course, at the end the attacker cleared the bash history for root.
Server specs:
- CENTOS 6.9 x86_64 standard
- cPanel & WHM 64.0 (build 24)
Does anybody have an idea how this may have happened?
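An added example, not from the poster: a small Python checker that scans log lines in the shape of the /var/log/secure excerpt above for the steps visible in it (SSH login by an unexpected account, su to root, useradd forcing a duplicate UID 0, removal of .bash_history) and lists extra UID-0 entries in /etc/passwd content. The sample lines are constructed; KNOWN_SSH_USERS, the hostname, address and paths are assumptions.

```python
import re

# Constructed sample in the shape of the excerpt above; hostname, address and
# site name are placeholders, not indicators taken from the post.
SAMPLE_LOG = """\
Jun 6 13:21:52 SERVERNAME sshd[13966]: Accepted password for firefart from 198.51.100.7 port 28953 ssh2
Jun 6 13:24:25 SERVERNAME su: pam_unix(su:session): session opened for user root by firefart(uid=0)
Jun 6 13:29:13 SERVERNAME sudo: root : TTY=pts/2 ; PWD=/home/SITE/public_html/modules/news ; USER=root ; COMMAND=/usr/sbin/useradd -ou 0 -g 0 darkangel
Jun 6 13:29:13 SERVERNAME useradd[23620]: new user: name=darkangel, UID=0, GID=0, home=/home/darkangel, shell=/bin/bash
Jun 6 13:36:54 SERVERNAME sudo: root : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/bin/rm /root/.bash_history
Jun 6 14:00:00 SERVERNAME useradd[23999]: new user: name=deploy, UID=1005, GID=1005, home=/home/deploy, shell=/bin/bash
"""

KNOWN_SSH_USERS = {"root", "sysadmin"}  # assumption: accounts expected to use SSH here

# (rule name, regex, predicate on the match): a line is flagged when the regex
# matches and the predicate accepts the captured groups.
RULES = [
    ("ssh login by unexpected account",
     re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from"),
     lambda m: m["user"] not in KNOWN_SSH_USERS),
    ("su to root",
     re.compile(r" su: pam_unix\(su:session\): session opened for user root by \w+"),
     lambda m: True),
    ("useradd forcing a shared UID 0 (-o with -u 0)",
     re.compile(r"sudo: .*COMMAND=\S*useradd .*-\w*u ?0\b"),
     lambda m: True),
    ("account created with UID 0",
     re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+), UID=0,"),
     lambda m: m["user"] != "root"),
    ("shell history removed",
     re.compile(r"sudo: .*COMMAND=\S*rm .*\.bash_history"),
     lambda m: True),
]

def scan_secure_log(text):
    """Return (rule name, matching line) pairs in log order."""
    hits = []
    for line in text.splitlines():
        for name, pattern, accept in RULES:
            m = pattern.search(line)
            if m and accept(m):
                hits.append((name, line))
    return hits

def extra_uid0_accounts(passwd_text):
    """Names in /etc/passwd content that share UID 0 with root (the 'darkangel' pattern)."""
    return [f[0] for f in (e.split(":") for e in passwd_text.splitlines())
            if len(f) >= 3 and f[2] == "0" and f[0] != "root"]

if __name__ == "__main__":
    for name, line in scan_secure_log(SAMPLE_LOG):
        print(f"[{name}] {line}")
```

On the live box the same idea is `awk -F: '$3==0' /etc/passwd` plus a read of /var/log/secure; the deploy line shows a normal useradd is not flagged.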